From 2bf4918cb5e880e1a8f9c690819c2fe58f544e9b Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 24 Nov 2025 16:11:20 +0100 Subject: [PATCH 1/7] wpb-21521 updated wire-server module --- wire-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wire-server b/wire-server index e77e1f9..25e1fe9 160000 --- a/wire-server +++ b/wire-server @@ -1 +1 @@ -Subproject commit e77e1f97c89b7d290a4a8f2e99930874077cbd52 +Subproject commit 25e1fe9106e26640569988291e501bebfa56ca98 From 9af587654bd84f5d79c452dd08c185cacb3ba510 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 26 Nov 2025 10:47:45 +0100 Subject: [PATCH 2/7] update documentation for demo-wiab for recent changes in wpb-17321 --- src/how-to/install/demo-wiab.md | 379 ++++++++++++++++++++++++-------- src/how-to/install/planning.md | 27 +-- 2 files changed, 299 insertions(+), 107 deletions(-) diff --git a/src/how-to/install/demo-wiab.md b/src/how-to/install/demo-wiab.md index 26bdc21..084508d 100644 --- a/src/how-to/install/demo-wiab.md +++ b/src/how-to/install/demo-wiab.md 
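Review bot: the submodule bump in the wire-server hunk (e77e1f9 to 25e1fe9) carries no explanation of what the new pointer pulls in, and the subject references wpb-21521 while the documentation commit that follows references wpb-17321; please state in the commit message which wire-server change this bump is for (and confirm the ticket number), since the submodule diff itself is not visible to reviewers of this series.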
@@ -91,53 +91,79 @@ graph TB class GitCommands gray ``` -### Installation Guide +This guide provides detailed instructions for deploying Wire-in-a-Box (WIAB) using Ansible on an Ubuntu 24.04 system. The deployment process is structured into multiple blocks within the Ansible playbook, offering flexibility in execution. It is designed to configure a remote node, such as example.com (referred to as deploy_node), to install Wire with a custom domain, example.com (referred to as target_domain). These variables must be verified in the file [ansible/inventory/demo/host.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/host.yml) before running the pipeline. -This guide provides detailed instructions for deploying a Demo Wire-in-a-Box (WIAB) using Ansible on an Ubuntu 24.04 system. +Note: this guide and the shipped playbooks are highly tailored to make testing straightforward on a single VM that has a public IP address. Using a public IP simplifies obtaining HTTPS certificates (for example via cert-manager HTTP challenges) and making external call configurations during tests. If you need to deploy in a private or restricted network, the playbooks can be tuned: skip or enable components via Ansible tags and adjust Helm chart values (see the `--tags` / `--skip-tags` usage below and the `values/` files generated by the playbooks). -The deployment process is structured into multiple blocks within the Ansible playbook, offering flexibility in execution. It is designed to configure a remote node (referred to as deploy_node), to install Wire with a custom domain, example.com (referred to as target_domain). - -These variables must be verified in the file [ansible/inventory/demo/host.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/host.yml) before running the pipeline. - -Typically, the deployment process runs seamlessly without requiring any external flags. 
However, if needed, you have the option to skip certain tasks by passing the conditional flags defined for a task. - -For instance, if you wish to bypass the [Wire Artifact Download tasks](#8-wire-artifact-download) —which can be time-consuming—you can manage the artifacts independently and skip this step in the Ansible workflow by using the flag `-e skip_download=true`. +Typically, the deployment process runs seamlessly without requiring any external flags. However, if needed, you can skip certain tasks using their associated tags. For example, if you wish to skip the Enable Cert Manager hairpin Networking task—which is only required when using cert-manager with Let's Encrypt—you can use --skip-tags cert_manager_networking and configure your own certificates instead (see Bring your own certificates([./docs_ubuntu_22.04.md#bring-your-own-certificates](https://github.com/wireapp/wire-server-deploy/blob/master/offline/docs_ubuntu_22.04.md#bring-your-own-certificates)). For more detailed instructions on each task, please refer to the [Deployment Flow section](#deployment-flow). -## Deployment requirements: - - Clone of [wire-server-deploy repository](https://github.com/wireapp/wire-server-deploy) - - The inventory file [host.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/host.yml) in the wire-server-deploy needs to be verified and updated with the following default variables: - - ansible_host: aka **deploy_node** i.e. IP address or hostname of the VM where Wire will be deployed (Mandatory) - - ansible_user: username to access the deploy_node (Mandatory) - - ansible_ssh_private_key_file: SSH key file path for username@deploy_node (Mandatory) - - target_domain: The domain you want to use for wire installation eg. example.com (Mandatory) - - wire_ip: Gateway IP address for Wire, could be same as deploy_node's IP (Optional). If not specified, can be calculated automatically, given below network ACLs are in place. 
If the deploy_node is a part of a private network (and not reachable of public network), then it has to be explicitly defined. - - artifact_hash: Check with wire support about this value. - -## DNS requirements: - -- two DNS records for the so-called \"nginz\" component of wire-server (the main REST API entry point), these are usually called [nginz-https.\] and [nginz-ssl.\]. -- one DNS record for the asset store (images, audio files etc. that your users are sharing); usually [assets.\] -- one DNS record for the webapp (equivalent of , i.e. the javascript app running in the browser), usually called [webapp.\]. -- one DNS record for the account pages (hosts some html/javascript pages for e.g. password reset), usually called [account.\]. -- one DNS record for team settings, usually called [teams.\] -- one DNS record for SFTD (conference calling), usually called [sftd.\]. +## Deployment Requirements + +- **Ansible Playbooks**: + - The `ansible` directory from [wire-server-deploy repository](https://github.com/wireapp/wire-server-deploy) + - The inventory file [ansible/inventory/demo/host.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/host.yml) to update and verify the following variables (required unless noted optional): + - ansible_host: aka **deploy_node** i.e. IP address or hostname of VM where Wire will be deployed (Required) + - ansible_user: username to access the deploy_node (Required) + - ansible_ssh_private_key_file: SSH key file path for ansible_user@deploy_node (Required) + - target_domain: The domain you want to use for wire installation eg. example.com (Required) + - wire_ip: Gateway IP address for Wire, could be same as deploy_node's IP (Optional). If not specified, the playbook will attempt to detect it (network ACLs permitting). If your deploy_node is only reachable on a private network, set this explicitly. 
+ - artifact_hash: Check with wire support about this value (used by the download step) + +Note: the playbook installs a set of system tools during the `install_pkgs` tasks (for example `docker`/`containerd`, `kubectl`, `minikube` when provisioning a cluster, `yq`, `jq`, `ncat`). If you already have these tools on the deploy node you may skip the `install_pkgs` tag when running the playbook. + +- **Network Access Requirements**: + +| Protocol | Port(s) | Purpose | +|----------|-------------|--------------------------------------------|| +| TCP | 22 | SSH access (for remote management) | +| TCP | 80 | HTTP (certificate renewal) | +| TCP | 443 | HTTPS (primary Wire access) | +| TCP | 3478 | Alternative STUN/TURN traffic | +| UDP | 3478 | STUN/TURN for voice/video calls | +| UDP | 32768-65535 | Voice/video calling traffic (Coturn/SFTD) | + +- Note: If outbound traffic is restricted, [Note on port ranges](https://docs.wire.com/latest/understand/notes/port-ranges.html) should be followed. + +## DNS Requirements + +- two DNS records for the so-called "nginz" component of wire-server (the main REST API entry point), these are usually called `nginz-https.` and `nginz-ssl.` +- one DNS record for the asset store (images, audio files etc. that your users are sharing); usually `assets.` +- one DNS record for the webapp (equivalent of https://app.wire.com, i.e. the javascript app running in the browser), usually called `webapp.` +- one DNS record for the account pages (hosts some html/javascript pages for e.g. password reset), usually called `account.` +- one DNS record for team settings, usually called `teams.` +- one DNS record for SFTD (conference calling), usually called `sftd.` - one DNS TXT record with the contents: `v=spf1 a mx ip4:SERVER-IP-ADDRESS-HERE -all`. It is used to define which mail servers are permitted to send emails from the domain, helping to prevent unauthorized use and enhance email security. 
-**Note**: The above DNS requirements are verfied in [DNS verification step](#1-dns-verification). +**Note**: The above DNS requirements are verified in [DNS verification step](#1-dns-verification). ## Getting Started -Start by cloning the repository and running the deployment playbook: +**Step 1: Obtain the ansible directory** +Choose one method to download the wire-server-deploy repository: + +**Option A: Download as ZIP** +```bash +wget https://github.com/wireapp/wire-server-deploy/archive/refs/heads/master.zip +unzip master.zip +cd wire-server-deploy-master +``` + +**Option B: Clone with Git** ```bash git clone https://github.com/wireapp/wire-server-deploy.git cd wire-server-deploy ``` -**Note:** Edit the file `ansible/inventory/demo/host.yml` as explained in [Requirements](#requirements) before running the next `ansible-playbook` command. It is recommended to understand the [Deployment Flow section](#deployment-flow) and read [General Tips](#general-tips) before executing the following command: -``` +**Step 2: Configure your deployment** + +Edit the file `ansible/inventory/demo/host.yml` as explained in [Requirements](#requirements) to set up your deployment variables. + +**Step 3: Run the deployment** + +```bash ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/deploy_wiab.yml ``` 
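Review bot: the `[Requirements](#requirements)` link in Step 2 points at an anchor that does not exist; the heading in this hunk is `## Deployment Requirements`, so the link should be `(#deployment-requirements)`. Two smaller things in the same hunk: the cert-manager sentence has a malformed link, `Bring your own certificates([./docs_ubuntu_22.04.md#bring-your-own-certificates](https://...))`, which should read `[Bring your own certificates](https://github.com/wireapp/wire-server-deploy/blob/master/offline/docs_ubuntu_22.04.md#bring-your-own-certificates)`; and the separator row of the port table ends in `||`, which some Markdown renderers treat as an extra empty column. Consider also using different example names for deploy_node and target_domain in the opening paragraph, as both are currently given as example.com.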
@@ -149,13 +175,13 @@ The deployment process follows these steps as defined in the main playbook: The playbook starts by verifying DNS records to ensure proper name resolution: - Imports [verify_dns.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/verify_dns.yml) -- Can be skipped by setting `skip_verify_dns=true` +- Can be skipped using `--skip-tags verify_dns` +- Checks for basic DNS record requirements as explained in the document [How to set up DNS records](https://docs.wire.com/latest/how-to/install/helm-prod.html#dns-records) . ### 2. Common Setup Tasks - Installs Netcat (ncat) on the deployment node, required to find a accessible IP address. -- Sets up variables (facts required by ansible) for Kubernetes nodes based on the Minikube profile and number of nodes. -- We are defining the purpose of nodes in the Minikube cluster. +- Sets up variables (facts required by ansible) for Kubernetes node based on the Minikube profile. ### 3. Network Verification 
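Review bot: the new DNS bullet ends with a stray space before the full stop (`...#dns-records) .`), and the rewritten Common Setup bullet drops the article: "for the Kubernetes node based on the Minikube profile". The removal of "and number of nodes" is consistent with the single-node wording used elsewhere in this patch.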
@@ -166,110 +192,199 @@ The playbook starts by verifying DNS records to ensure proper name resolution: ### 4. Package Installation - Imports [install_pkgs.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/install_pkgs.yml) to install required dependencies -- Can be skipped by setting `skip_install_pkgs=true` +- Can be skipped using `--skip-tags install_pkgs` ### 5. SSH Key Management -- Imports [setup_ssh.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/setup_ssh.yml) to manage SSH keys for Minikube nodes and SSH proxying for the deploy_node and minikube nodes -- Runs if any of the following tasks are enabled: - - Minikube setup - - Asset host setup - - Offline seed setup +- Imports [setup_ssh.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/setup_ssh.yml) to manage SSH keys for Minikube node and SSH proxying for the deploy_node and minikube node +- **Dependency task:** This task has no tag and runs automatically when `minikube`, `asset_host`, or `seed_containers` are selected +- Cannot be run independently or skipped manually - it's controlled entirely by dependent components +- **Smart dependency:** SSH setup runs when any component that needs it is selected, and is automatically skipped when none of those components are running ### 6. Minikube Cluster Configuration - Imports [minikube_cluster.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/minikube_cluster.yml) to set up a Kubernetes cluster using Minikube - All minikube configurable parameters are available in [host.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/host.yml) -- Can be skipped with `skip_minikube=true` +- Can be skipped using `--skip-tags minikube` ### 7. 
IPTables Rules - Imports [iptables_rules.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/iptables_rules.yml) to configure network rules on deploy_node -- It will configure network forwarding and postrouting rules to route traffic to k8s nodes -- Only runs if Minikube setup isn't skipped, it depends on IP address of k8s nodes from Minikube +- It will configure network forwarding and postrouting rules to route traffic to k8s node +- Runs automatically when using `--tags minikube` ### 8. Wire Artifact Download - Imports [download_artifact.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/download_artifact.yml) to fetch the Wire components -- It is required to download all the artifacts required for further installation like docker images, helm charts etc. -- Can be skipped with `skip_download=true` +- It is required to download all the artifacts required for further installation +- Can be skipped using `--skip-tags download` -### 9. Minikube Node Inventory Setup +### 9. 
SSH Proxy and Inventory Setup -- The playbook then configures access to the Kubernetes nodes: - - Retrieves the host IP (asset_host) on the Minikube network and Ip addresses for minikube k8s nodes - - Sets up SSH proxy access to cluster nodes by: - - Creating a temporary directory for SSH keys on the localhost - - Writing the private key to a file in the temporary directory - - Adding the above calculated hosts to the Ansible inventory with appropriate SSH settings +The playbook then configures access to the Kubernetes node: +- **Dependency task:** This setup has no tag and runs automatically when `asset_host` or `seed_containers` are selected +- Retrieves the host IP (asset_host) on the Minikube network and Ip addresses for minikube k8s node +- Sets up SSH proxy access to cluster node by: + - Creating a temporary directory for SSH keys on the localhost + - Writing the private key to a file in the temporary directory + - Adding the above calculated hosts to the Ansible inventory with appropriate SSH settings +- Cannot be run independently or skipped manually - controlled entirely by `asset_host` and `seed_containers` components ### 10. Asset Host Setup - Imports [setup-offline-sources.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/setup-offline-sources.yml) to configure the asset host - It will offer wire deployment artifacts as service for further installation -- Can be skipped with `skip_asset_host=true` +- Can be skipped using `--skip-tags asset_host` ### 11. 
Container Seeding -- Imports [seed-offline-containerd.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/seed-offline-containerd.yml) to seed containers in K8s cluster nodes -- It will seed the docker images shipped for the wire related helm charts in the minikube k8s nodes -- Can be skipped with `skip_setup_offline_seed=true` +- Imports [seed-offline-containerd.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/seed-offline-containerd.yml) to seed containers in K8s cluster node +- It will seed the docker images shipped for the wire related helm charts in the minikube k8s node +- Can be skipped using `--skip-tags seed_containers` + +### 12. Wire helm charts values preparation + +- Imports [wire_values.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/wire_values.yml) to prepare the Helm chart values +- Runs automatically when using `--tags wire_values` -### 12. Wire Secrets Creation + Note: an admin can choose to skip this step if they already have their own values files (from previous similar deployments) and wish to avoid overwriting values. Provide your values in the expected `values/` paths and run the next playbook with appropriate tags. + +### 13. Wire Secrets Creation - Imports [wire_secrets.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/wire_secrets.yml) to create required secrets for wire helm charts -- Only runs if both `skip_wire_secrets` and `skip_helm_install` are false +- Runs automatically when using `--tags helm_secrets` + + Note: an admin can choose to skip this step if they already have pre-created secrets in helm secerts files (from previous similar deployments) and wish to avoid overwriting them. Provide your secrets in the expected `values/` paths (eg. `values/wire-server/secrets.yaml`) and run the next playbook with appropriate tags. -### 13. Helm Chart Installation +### 14. 
Helm Chart Installation - Imports [helm_install.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/helm_install.yml) to deploy Wire components using Helm - These charts can be configured in [host.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/host.yml) -- Can be skipped with `skip_helm_install=true` +- Can be skipped using `--skip-tags helm_install` + +### 15. Enable Cert Manager hairpin Networking + +- This step([cert_manager_networking](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/hairpin_networking.yml)) configures hairpin (NAT) behavior on the host so that workloads (for example pods) that need to reach an external/public IP that resolves back to the same node can successfully connect. It performs a check if hairpin networking applies to the current deployment, if so it configures the necessary iptables rules and bridge settings. + +``` +a Pod (same node k8s)→ wants to reach → domain → which resolves to the public IP of the same node +``` -### 14. Temporary Cleanup +If you do not use cert-manager (or you obtain certificates externally) and there is no need for this hairpin behaviour, you can skip this step by using the tag `--skip-tags cert_manager_networking`. + +### 16. Temporary Cleanup - Locates all temporary SSH key directories created during deployment - Lists and removes these directories +- Stop `serve-assets` service on `deploy_node` +- Can be skipped using `--skip-tags cleanup` ## SSH Proxy Configuration The deployment uses an SSH proxy mechanism to access: -1. Kubernetes nodes within the Minikube cluster +1. Kubernetes node within the Minikube cluster 2. 
The asset host for resource distribution SSH proxying is configured with: - - Dynamic discovery of SSH key paths (uses `ansible_ssh_private_key_file` if defined) - - StrictHostKeyChecking disabled for convenience - - UserKnownHostsFile set to /dev/null to prevent host key verification issues +- Dynamic discovery of SSH key paths (uses `ansible_ssh_private_key_file` if defined) +- StrictHostKeyChecking disabled for convenience +- UserKnownHostsFile set to /dev/null to prevent host key verification issues -## General Tips +## Notes -### Ansible run selective tasks -- You can use ^skip_ variables as environment variables to control the execution flow of the playbook. If these variables are passed, they will skip specific groups of tasks as explained in the [Deployment Flow](#deployment-flow) section. By default, if no variables are passed, all tasks will run in sequence. +- This deployment is only meant for testing, all the datastores are ephemeral +- **Tag-Based Execution with Dependency Protection:** The playbook uses a hybrid approach where main components have tags for user control, while dependency tasks have no tags and are controlled automatically through `when` conditions. This prevents accidental skipping of critical dependencies while maintaining a clean user interface. +- You can use Ansible tags to control the execution flow of the playbook. You can run specific tasks using `--tags` or skip specific tasks using `--skip-tags` as explained in the [Deployment Flow](#deployment-flow) section. By default, if no tags are specified, all tasks will run in sequence. - In case of timeouts or other failures, you can skip tasks that have already been completed by passing the appropriate flags. For example, if the Wire artifact download task fails due to a timeout or disk space issue, you can skip the preceding tasks by using the following command: + In case of timeouts or any failures, you can skip tasks that have already been completed by using the appropriate tags. 
For example, if the Wire artifact download task fails due to a timeout or disk space issue, you can skip the earlier tasks and resume from download: ```bash -ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/deploy_wiab.yml -e "skip_verify_dns=true skip_install_pkgs=true skip_minikube=true" +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/deploy_wiab.yml --skip-tags verify_dns,install_pkgs,minikube +``` + Or if you just want to run the final deployment steps: +```bash +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/deploy_wiab.yml --tags helm_install ``` - This command will skip the DNS verification, package installation, and Minikube cluster configuration tasks, allowing you to resume the playbook from the Wire artifact download task. - -### Iptables behaviour -- All the iptables rules are not persisted after reboots, but they can be regenerated by running the entire pipeline or restored from the `/home/ansible_user/wire-iptables-rules/rules_post_wire.v4` directory. Optionally, we can skip everything else when generating the rules again. +- All the iptables rules are not persisted after reboots, , but they can be regenerated by running just the minikube setup (and `cert_manager_networking` if required) or restored from the `/home/ansible_user/wire-iptables-rules/rules_post_wire.v4` file. 
```bash -ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/deploy_wiab.yml -e "skip_setup_offline_seed=true skip_wire_secrets=true skip_asset_host=true skip_download=true skip_install_pkgs=true" +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/deploy_wiab.yml --tags minikube,cert_manager_networking +# or +iptables-restore < /home/ansible_user/wire-iptables-rules/rules_post_wire.v4 ``` +- The playbook is designed to be idempotent, with tags for each major section - Temporary SSH keys are created and cleaned up automatically - The deployment creates a single-node Kubernetes cluster with all Wire services +## Offline bundle and alternative chart-only deployment + +The deployment playbook downloads an offline bundle that contains: + +- Helm chart tarballs (the charts used by the deployment) +- Docker/container image archives (used to seed Minikube/node container runtime) +- Helper scripts such as `bin/wiab-demo/offline_deploy_k8s.sh` which are sourced during the playbook + +If you already have a working **Kubernetes cluster** and prefer to use it instead of creating local Minikube node, you can skip the Minikube and seeding tasks, and run only the Helm chart installation (tags `wire_values` and `helm_install`). However, the offline bundle is still required to obtain the charts and the docker image archive(s) so you can: + +1. Extract charts from the bundle and point Helm to the extracted chart directories, and +2. Load container images into your cluster from the image archive. 
+ +Typical steps to load images manually (examples — adapt for your runtime): + +```bash +# extract the image archive (example filename, check inside the bundle you downloaded) +tar -xf containers-helm.tar -C /tmp/wiab-images + +# For Docker (on the machine that will load images into the cluster): +for img in /tmp/wiab-images/*.tar*; do docker load -i "$img"; done + +# For containerd (ctr) on a node that uses containerd: +for img in /tmp/wiab-images/*.tar; do sudo ctr -n=k8s.io images import "$img"; done +``` + +Note: Optionally the playbooks `10. Asset Host Setup` and `11. Container Seeding` can also perform these image-extraction and loading steps for you: `setup-offline-sources.yml` will unarchive and host the images via a simple HTTP asset host, and `seed-offline-containerd.yml` will pull/load those images into Minikube node. Those playbooks are tuned for Minikube but can be adapted to work with your own cluster by creating an appropriate inventory and adjusting paths. + +## kubeconfig path used by Helm in this deployment + +Helm commands in the playbook are executed inside a helper Docker container and expect the kubeconfig to be mounted at `{{ ansible_user_dir }}/.kube/config` on the deploy node (the playbook mounts this into the container as `/root/.kube/config`). If you are using your own Kubernetes cluster instead of Minikube, ensure that the kubeconfig for your cluster is available at that path on the deploy node before running the `helm_install` step. + +Small note on values and secrets +- The playbook generates Helm values and secrets files under `{{ ansible_user_dir }}/wire-server-deploy/values/` (for example `values/wire-server/values.yaml` and `values/wire-server/secrets.yaml`). These files can be edited manually before running the `helm_install` step if you need to change chart values or secrets. 
+ +## Available Tags + +The following tags are available for controlling playbook execution: + +### Main Component Tags + +| Tag | Description | Automatic Dependencies | +|-----|-------------|----------------------| +| `verify_dns` | DNS record verification | None | +| `install_pkgs` | Package installation | None | +| `minikube` | Minikube cluster setup | SSH keys setup, IPTables rules | +| `download` | Wire artifact download | None | +| `asset_host` | Asset host configuration | SSH Proxy and Inventory Setup | +| `seed_containers` | Container seeding | SSH Proxy and Inventory Setup| +| `wire_values` | Setup Wire Helm values | None | +| `wire_secrets` | Create Wire secrets | None | +| `helm_install` | Helm chart installation | None | +| `cleanup` | Temporary file cleanup | None | + +### Usage Examples + +- **Run a complete minikube setup:** `ansible-playbook ... --tags minikube` (automatically includes SSH setup and IPTables) +- **Run only helm installation:** `ansible-playbook ... --tags helm_install` +- **Run asset host setup:** `ansible-playbook ... --tags asset_host` (automatically includes SSH Proxy and Inventory Setup) +- **Skip DNS verification:** `ansible-playbook ... --skip-tags verify_dns` +- **Run everything except download:** `ansible-playbook ... --skip-tags download` + ## Trying Things Out At this point, with a bit of luck, everything should be working. If not, refer to the ‘Troubleshooting’ section below. Can you reach the nginz server? -```default +```bash curl -i https://nginz-https./status ``` You should receive a 200 return code: 
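Review bot: section 13 says secrets creation "Runs automatically when using `--tags helm_secrets`", but the Available Tags table lists the tag as `wire_secrets`; one of the two is wrong and should be corrected, and the same section has the typo "secerts". Related: `cert_manager_networking` is described as a skippable tag in section 15 but is missing from the Main Component Tags table, and sections 12 and 13 say "Runs automatically when using --tags ..." for what the table presents as user-controlled components, so "Can be skipped using `--skip-tags ...`" would be consistent with the other sections. In the Notes there is a doubled comma ("after reboots, , but"), and `iptables-restore < /home/ansible_user/wire-iptables-rules/rules_post_wire.v4` needs root (prefix `sudo`) and uses a literal `ansible_user` where the path is per-user (`{{ ansible_user_dir }}` as used later in the same hunk). In the manual image-loading example, `tar -xf containers-helm.tar -C /tmp/wiab-images` fails unless the directory already exists (add `mkdir -p /tmp/wiab-images` first), and the Docker loop globs `*.tar*` while the containerd loop globs `*.tar`. Finally, the SSH proxy bullets keep `StrictHostKeyChecking` disabled and `UserKnownHostsFile=/dev/null`; since this patch documents the setup as a single test VM with ephemeral keys, it would help to state that these settings are scoped to the temporary proxy configuration and not to the operator's own SSH client.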
@@ -288,9 +403,9 @@ Can you access the webapp? Open https://webapp. in your browser (Fi #### Why is my ansible-playbook failing? -- Check the error message and review the [requirements](planning.md#what-you-need) section to confirm that all requirements are met. -- See [Ansible run selective tasks](#ansible-run-selective-tasks) to run only the failing tasks. -- If `ansible-playbook` fails at the last step of [Helm Chart Installation](#13-helm-chart-installation), proceed to [Are Wire services running fine?](#are-wire-services-running-fine). +- Check the error message and review the [Requirements](#requirements) section to confirm that all requirements are met. +- See [Notes](#notes) to run only the failing tasks. +- If `ansible-playbook` fails at the last step of [Helm Chart Installation](#14-helm-chart-installation), proceed to [Are Wire services running fine?](#are-wire-services-running-fine). #### What to do if ansible-playbook finished successfully but still unable to access Wire? 
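Review bot: the updated link `[Requirements](#requirements)` resolves to nothing because the heading added earlier in this patch is `## Deployment Requirements`; use `(#deployment-requirements)`. The renumbered `#14-helm-chart-installation` anchor matches the new section numbering.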
@@ -302,13 +417,13 @@ There are multiple components that together form a running Wire-server deploymen #### Is networking working fine? -- Verify that the [Network Access Requirements](planning.md#what-you-need) are met for the deploy_node. Check the verbose (-vvvv) output from the `ansible-playbook` command for the [Network Verification](#3-network-verification). -- Ensure that [How to set up DNS records](#dns-requirements) has been followed. Check the verbose (-vvvv) output from the `ansible-playbook` command for the [DNS verification step](#1-dns-verification). +- Verify that the [Network Access Requirements](#requirements) are met for the deploy_node. Check the verbose (-vvvv) output from the `ansible-playbook` command for the [Network Verification](#3-network-verification). +- Ensure that [DNS Requirements](#dns-requirements) has been followed. Check the verbose (-vvvv) output from the `ansible-playbook` command for the [DNS verification step](#1-dns-verification). - Check if iptables rules from Wire installation are in place using the following command: -``` +```bash sudo iptables -t nat -L -nv --line-numbers | grep "Wire Iptables Rules" ``` -- If they are not visible or if you are unable to access the Wire services, refer to [Iptables behaviour](#iptables-behaviour) to reset the iptables rules. +- If they are not visible or if you are unable to access the Wire services, refer to [Notes](#notes) to reset the iptables rules. #### How to check the status of minikube k8s cluster or get access to kubectl? 
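Review bot: `[Network Access Requirements](#requirements)` has the same broken anchor as the previous hunk (the heading is `## Deployment Requirements`, so `#deployment-requirements`), and "Ensure that [DNS Requirements](#dns-requirements) has been followed" should read "have been followed". Switching the fence to `bash` is fine.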
@@ -347,6 +462,32 @@ kubectl --namespace describe - If Wire pods or datastore pods are failing due to Docker image issues, try running some of the steps again using [Ansible run selective tasks](#ansible-run-selective-tasks) and set the flags for [skip_asset_host=true](#10-asset-host-setup) and [skip_setup_offline_seed=true](#11-container-seeding). +#### Confirm if datastore services are working? + +Wire-in-a-Box relies on several backend datastore services to function properly. If you experience issues with service connectivity or user operations, you can use **wire-utility** to troubleshoot and validate the health of these services. + +**Available datastore services to check:** PostgreSQL, Cassandra, Elasticsearch, RabbitMQ, MinIO and Redis. **Note** - Deployed services can differ based on the Wire backend version deployed. + +**Using wire-utility for diagnostics:** + +If wire-utility was successfully deployed (see [Deploy wire-utility](#14-helm-chart-installation) task), you can leverage it to inspect and validate all datastore services. Wire-utility provides comprehensive tooling for: +- Querying datastore status and connectivity +- Running diagnostics to identify service-level issues +- Troubleshooting authentication and access problems + +For detailed instructions on using wire-utility and all available diagnostic commands, refer to the [wire-utility tool documentation](https://docs.wire.com/latest/how-to/administrate/wire-utility-tool.html). + +**Quick health check:** +```bash +# Check all pod statuses, including datastores +kubectl get pods -A -o wide + +# View logs from datastore pods if any are in error state +kubectl logs -n +``` + +If datastore pods are consistently failing, consider redeploying them using the appropriate Ansible tags while keeping application pods intact. + #### How to clean everything and start from a clean state? - Refer to [Cleaning/Uninstalling Wire-in-a-Box](#cleaninguninstalling-wire-in-a-box). 
- Once cleaned, continue with the installation process again. 
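Review bot: the unchanged context line just above the new datastore section still says "using [Ansible run selective tasks](#ansible-run-selective-tasks) and set the flags for [skip_asset_host=true](#10-asset-host-setup) and [skip_setup_offline_seed=true](#11-container-seeding)", but this patch removes that heading and replaces the `skip_*` variables with tags; it should be rewritten to point at [Notes](#notes) and `--tags asset_host,seed_containers`. In the new section, `kubectl logs -n` is shown without its namespace and pod arguments; if placeholders such as `<namespace> <pod>` were intended, they need to be present (and escaped for Markdown) so the command is not copied as-is.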
@@ -360,20 +501,70 @@ kubectl --namespace describe ## Cleaning/Uninstalling Wire-in-a-Box -The deployment includes a cleanup playbook that can be used to remove all the components. For example, the following command includes flags for removing the Minikube cluster (remove_minikube), removing the iptables rules (remove_iptables), removing SSH keys from the deploy_node (remove_ssh), deleting artifacts and Wire files from the deploy_node (remove_artifacts), and removing artifact hosting services from the deploy node (clean_assethost): +The cleanup playbook uses a **safe-by-default** approach with the special `never` tag - **nothing is destroyed unless you explicitly specify tags**. This prevents accidental destruction of your deployment. + +⚠️ **Important:** All cleanup tasks are tagged with `never`, which means they will not run unless explicitly requested. Running the cleanup playbook without any tags will do nothing. + +### Basic Usage + +**No destruction by default:** +```bash +# This does NOTHING - safe by design (all tasks have 'never' tag) +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml +``` + +**Explicit destruction required:** +```bash +# Remove specific components using tags (overrides 'never' tag) +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml --tags remove_minikube,remove_artifacts +``` + +### Available Cleanup Tags + +| Tag | Description | What Gets Destroyed | +|-----|-------------|-------------------| +| `remove_minikube` | Stops and deletes the Kubernetes cluster | Minikube cluster, all pods, services, data | +| `remove_packages` | Removes installed packages | Docker, kubectl, yq, ncat, minikube binary | +| `remove_iptables` | Restores pre-installation network rules | All Wire-related network forwarding rules | +| `remove_ssh` | Removes generated SSH keys | Wire-specific SSH keys from deploy node | +| `remove_artifacts` | Deletes downloaded deployment files | Wire 
artifacts, tarballs, temporary files | +| `clean_assethost` | Stops asset hosting service | Asset hosting service and related files | + +### Common Cleanup Scenarios + +**Quick cleanup after testing:** +```bash +# Remove cluster and artifacts but keep packages for next deployment +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml --tags remove_minikube,remove_artifacts +``` + +**Complete cleanup:** +```bash +# Remove everything (use with caution!) +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml --tags remove_minikube,remove_packages,remove_iptables,remove_ssh,remove_artifacts,clean_assethost +``` + +**Network cleanup only:** +```bash +# Just restore network rules (useful after network issues) +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml --tags remove_iptables +``` + +**Development workflow:** +```bash +# Reset deployment but keep packages and SSH keys +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml --tags remove_minikube,remove_artifacts,clean_assethost +``` +**Package cleanup:** ```bash -ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml -e "remove_minikube=true remove_iptables=true remove_ssh=true remove_artifacts=true clean_assethost=true" +# Remove installed packages (be careful - may affect other applications) +ansible-playbook -i ansible/inventory/demo/host.yml ansible/wiab-demo/clean_cluster.yml --tags remove_packages ``` -**Note:** The above command does not uninstall the Debian packages and binaries installed during the setup. This is an intentional design choice to avoid removing packages that may be required by the other users on the deploy_node later. If you wish to proceed with cleaning these packages, you can add the variable -e uninstall_pkgs=true. 
+### Safety Features -The cleanup process handles: - - **Minikube**: Stops and deletes the Kubernetes cluster (optional `remove_minikube=true`) - - **Packages**: Removes installed dependencies including Docker, kubectl, yq, etc. (optional `uninstall_pkgs=true`). **Note**: Verify the playbook before removing packages, it might remove pre-existing packages. - - **IPTables**: Restores pre-installation network rules (optional `remove_iptables=true`) - - **SSH Keys**: Removes generated SSH keys (optional `remove_ssh=true`) - - **Artifacts**: Deletes downloaded deployment artifacts (optional `remove_artifacts=true`) - - **Asset Host**: Stops the asset hosting service and cleans up related files (optional `clean_assethost=true`) +- **Nothing runs by default:** The playbook requires explicit tags to perform any destruction +- **Granular control:** You choose exactly what to destroy -Each cleanup operation can be enabled/disabled independently with the corresponding variables. +⚠️ **Warning:** Package removal (`remove_packages`) may affect other applications on the server. Use with caution in shared environments. diff --git a/src/how-to/install/planning.md b/src/how-to/install/planning.md index a3e24aa..80d9853 100644 --- a/src/how-to/install/planning.md +++ b/src/how-to/install/planning.md 
@@ -24,23 +24,24 @@ Please note your data will be in-memory only and may disappear at any given mome - To ease out the process of managing certs, we recommend using [Let\'s Encrypt](https://letsencrypt.org/getting-started/) & [cert-manager](https://cert-manager.io/docs/tutorials/acme/http-validation/) - **Network**: No interference from UFW or other system specific firewalls, and IP forwarding enabled between network cards. Public internet access to download Wire artifacts and Ubuntu packages. -- **Packages**: Ansible and Git installed on the localhost (any machine you have access to) +- **Packages**: Ansible and unzip (or git) on the localhost (any machine you have access to) - Ansible version: [core 2.16.3] or compatible - **Permissions**: Sudo access required for installation on remote_node -- **Deployment requirements**: - - Clone of [wire-server-repository](https://github.com/wireapp/wire-server-deploy) and editing `ansible/inventory/demo/host.yml` as explained in [Deployment requirements](demo-wiab.md#deployment-requirements) +- **Ansible Playbooks**: + - The `ansible` directory from [wire-server-deploy repository](https://github.com/wireapp/wire-server-deploy) + - Obtain it using **either** method: + - **Download as ZIP:** [wire-server-deploy/archive/master.zip](https://github.com/wireapp/wire-server-deploy/archive/refs/heads/master.zip) (requires unzip) + - **Clone with Git:** `git clone https://github.com/wireapp/wire-server-deploy.git` (requires git) - **Network Access Requirements**: -| Protocol | Direction | Start Port | End Port | Ether Type | IP Range | Reason | -|----------|-----------|------------|----------|------------|------------|---------------------------------------------| -| Any | egress | Any | Any | IPv4 | Any | Allow all outgoing IPv4 traffic | -| Any | egress | Any | Any | IPv6 | Any | Allow all outgoing IPv6 traffic | -| tcp | ingress | 22 | 22 | IPv4 | 0.0.0.0/0 | Allow SSH access | -| tcp | ingress | 443 | 443 | IPv4 | 0.0.0.0/0 | 
Allow HTTPS traffic | -| tcp | ingress | 80 | 80 | IPv4 | 0.0.0.0/0 | Allow HTTP traffic | -| tcp | ingress | 3478 | 3478 | IPv4 | 0.0.0.0/0 | Allow alternative STUN/TURN traffic over TCP| -| udp | ingress | 3478 | 3478 | IPv4 | Any | Allow STUN/TURN traffic for Coturn | -| udp | ingress | 49152 | 65535 | IPv4 | 0.0.0.0/0 | Allow calling traffic for Coturn over UDP | +| Protocol | Port(s) | Purpose | +|----------|-------------|--------------------------------------------| +| TCP | 22 | SSH access (for remote management) | +| TCP | 80 | HTTP (certificate renewal) | +| TCP | 443 | HTTPS (primary Wire access) | +| TCP | 3478 | Alternative STUN/TURN traffic | +| UDP | 3478 | STUN/TURN for voice/video calls | +| UDP | 32768-65535 | Voice/video calling traffic (Coturn/SFTD) | - Note: If outbound traffic is restricted, [Note on port ranges](https://docs.wire.com/latest/understand/notes/port-ranges.html) should be followed. From d462a77194026e7bee0e8bd2d780266092466b07 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 26 Nov 2025 11:22:44 +0100 Subject: [PATCH 3/7] update redundant parts in demo-wiab --- src/how-to/install/demo-wiab.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/src/how-to/install/demo-wiab.md b/src/how-to/install/demo-wiab.md index 084508d..bd81506 100644 --- a/src/how-to/install/demo-wiab.md +++ b/src/how-to/install/demo-wiab.md 
@@ -113,19 +113,6 @@ For more detailed instructions on each task, please refer to the [Deployment Flo Note: the playbook installs a set of system tools during the `install_pkgs` tasks (for example `docker`/`containerd`, `kubectl`, `minikube` when provisioning a cluster, `yq`, `jq`, `ncat`). If you already have these tools on the deploy node you may skip the `install_pkgs` tag when running the playbook. -- **Network Access Requirements**: - -| Protocol | Port(s) | Purpose | -|----------|-------------|--------------------------------------------|| -| TCP | 22 | SSH access (for remote management) | -| TCP | 80 | HTTP (certificate renewal) | -| TCP | 443 | HTTPS (primary Wire access) | -| TCP | 3478 | Alternative STUN/TURN traffic | -| UDP | 3478 | STUN/TURN for voice/video calls | -| UDP | 32768-65535 | Voice/video calling traffic (Coturn/SFTD) | - -- Note: If outbound traffic is restricted, [Note on port ranges](https://docs.wire.com/latest/understand/notes/port-ranges.html) should be followed. - ## DNS Requirements - two DNS records for the so-called "nginz" component of wire-server (the main REST API entry point), these are usually called `nginz-https.` and `nginz-ssl.` From 2ddbc2a1b74508535c43ccca40bba88e7fd2eb3d Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 27 Nov 2025 16:31:03 +0100 Subject: [PATCH 4/7] fix wpb-17321: update docs for secrets management and cert_manager_networking example --- src/how-to/install/demo-wiab.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/how-to/install/demo-wiab.md b/src/how-to/install/demo-wiab.md index bd81506..08f5ed6 100644 --- a/src/how-to/install/demo-wiab.md +++ b/src/how-to/install/demo-wiab.md 
@@ -95,7 +95,7 @@ This guide provides detailed instructions for deploying Wire-in-a-Box (WIAB) usi Note: this guide and the shipped playbooks are highly tailored to make testing straightforward on a single VM that has a public IP address. Using a public IP simplifies obtaining HTTPS certificates (for example via cert-manager HTTP challenges) and making external call configurations during tests. If you need to deploy in a private or restricted network, the playbooks can be tuned: skip or enable components via Ansible tags and adjust Helm chart values (see the `--tags` / `--skip-tags` usage below and the `values/` files generated by the playbooks). -Typically, the deployment process runs seamlessly without requiring any external flags. However, if needed, you can skip certain tasks using their associated tags. For example, if you wish to skip the Enable Cert Manager hairpin Networking task—which is only required when using cert-manager with Let's Encrypt—you can use --skip-tags cert_manager_networking and configure your own certificates instead (see Bring your own certificates([./docs_ubuntu_22.04.md#bring-your-own-certificates](https://github.com/wireapp/wire-server-deploy/blob/master/offline/docs_ubuntu_22.04.md#bring-your-own-certificates)). +Typically, the deployment process runs seamlessly without requiring any external flags. However, if needed, you can skip certain tasks using their associated tags. For example, if you wish to use your own certificates instead of Let's Encrypt, you can use `--skip-tags cert_manager_networking` to skip cert-manager deployment and related networking configuration. For detailed instructions, see [Bring your own certificates](https://github.com/wireapp/wire-server-deploy/blob/master/offline/docs_ubuntu_22.04.md#bring-your-own-certificates). For more detailed instructions on each task, please refer to the [Deployment Flow section](#deployment-flow). 
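Review bot: the new wording claims `--skip-tags cert_manager_networking` will "skip cert-manager deployment and related networking configuration", but the tag table added later in this same patch describes `cert_manager_networking` only as "Enable Cert Manager hairpin Networking", and the sentence being replaced said that task is "only required when using cert-manager with Let's Encrypt". If the tag covers only the hairpin networking task, skipping it leaves cert-manager installed by `helm_install`; either apply the tag to the cert-manager chart install too, or rephrase to say that only the networking task is skipped and that cert-manager can then be left unused when bringing your own certificates.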
@@ -233,6 +233,7 @@ The playbook then configures access to the Kubernetes node: - Imports [wire_values.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/wire_values.yml) to prepare the Helm chart values - Runs automatically when using `--tags wire_values` +- The playbook backs up existing values files before replacing them. Note: an admin can choose to skip this step if they already have their own values files (from previous similar deployments) and wish to avoid overwriting values. Provide your values in the expected `values/` paths and run the next playbook with appropriate tags. @@ -240,6 +241,8 @@ The playbook then configures access to the Kubernetes node: - Imports [wire_secrets.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/wire_secrets.yml) to create required secrets for wire helm charts - Runs automatically when using `--tags helm_secrets` +- The playbook is idempotent: it won't regenerate secrets if they already exist from a previous run +- If existing secret files are present (e.g., `values/wire-server/secrets.yaml`), the playbook backs them up before replacing them Note: an admin can choose to skip this step if they already have pre-created secrets in helm secerts files (from previous similar deployments) and wish to avoid overwriting them. Provide your secrets in the expected `values/` paths (eg. `values/wire-server/secrets.yaml`) and run the next playbook with appropriate tags. @@ -355,6 +358,7 @@ The following tags are available for controlling playbook execution: | `wire_values` | Setup Wire Helm values | None | | `wire_secrets` | Create Wire secrets | None | | `helm_install` | Helm chart installation | None | +| `cert_manager_networking` | Enable Cert Manager hairpin Networking | None | | `cleanup` | Temporary file cleanup | None | ### Usage Examples From 11f72a661cd6c88bd5c38a80adc76430b592a0fb Mon Sep 17 00:00:00 2001 
From: mohitrajain Date: Thu, 4 Dec 2025 11:05:21 +0100 Subject: [PATCH 5/7] fix: update repo_url to point to wire-server --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 28334af..e47e082 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,7 +1,7 @@ site_name: Wire Docs docs_dir: src site_url: "https://docs.docs.com" -repo_url: https://github.com/wireapp/wire-docs +repo_url: https://github.com/wireapp/wire-server edit_uri: edit/main/src/ site_author: Wire Authors site_description: "Wire Documentation" From cb4b896a1f69276cbd1509c610ef003fbc12a9c6 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 4 Dec 2025 11:06:09 +0100 Subject: [PATCH 6/7] fix: wpb-17321 update the documentation and diagram for demo-wiab --- src/how-to/install/demo-wiab.md | 96 +++++++++++++-------------------- 1 file changed, 37 insertions(+), 59 deletions(-) diff --git a/src/how-to/install/demo-wiab.md b/src/how-to/install/demo-wiab.md index 08f5ed6..d698e1f 100644 --- a/src/how-to/install/demo-wiab.md +++ b/src/how-to/install/demo-wiab.md @@ -28,67 +28,40 @@ The flow diagram of the Demo setup: ```mermaid graph TB - %% External components - WebClients["🖥️ Web Clients/Android/iOS
Clients"] - AnsibleNode["📋 Ansible node"] + Client["🖥️ Clients"] + Admin["📋 Admin
⬇️ Download wire-server-deploy"] - %% Main deploy_node containing all components - subgraph DeployNode ["🖥️ deploy_node"] - %% NIC on the node - NIC["🌐 NIC (Public/Private)
ssh/https/Coturn UDP
traffic"] - - %% Iptables NAT rules on the node - NAT["🔄 Iptables NAT rules
redirect external traffic
to k8s pods"] - - %% Wire server deployment on the node - WireServerDownload["📥 Download wire-server-
deploy-static-demo-*.tgz
and start assets.service"] - - %% Docker/k8s environment on the node - subgraph DockerK8s ["🐳 Docker - minikube k8s"] - SeedContainer["seed-offline-containerized
(loads all the containers)"] - - subgraph HelmCharts ["Helm Charts:
fake-sws | demo-smtp | rabbitmq
databases-ephemeral | wire-server
webapp | account-pages | team-settings
ingress-nginx-controller
nginx-ingress-services
coturn | SFT"] - end + subgraph Node ["deploy_node"] + IPTables["🔄 iptables rules"] + Download["📥 Artifacts
Helm Charts
Docker Images"] + subgraph K8s ["Minikube K8s"] + Seeds["🐳 Container Images + 📦 Helm Charts
wire-server | wire-utility
databases | coturn"] + Wire["🚀 Wire Services
💬 Messaging | ☎️ Calls"] end end - - - GitCommands["🖥️ git clone github.com/wireapp/wire-server-deploy.git
cd wire-server-deploy
ansible-playbook -i ansible/inventory/demo/host.yml
ansible/wiab-demo/deploy_wiab.yml"] - - %% Traffic flows - %% Wire application traffic from clients - WebClients -->|"🔵 Wire App Traffic
(https/websocket)"| NIC - NIC --> NAT - NAT -->|"Route to k8s pods"| DockerK8s + Admin -->|"SSH/Ansible"| IPTables + Client -->|"HTTPS/UDP"| IPTables + IPTables --> K8s - %% SSH/Ansible configuration traffic - AnsibleNode -->|"🟢 SSH/Ansible Traffic
(configuration)"| NIC - AnsibleNode --> GitCommands + Download --> Seeds + Seeds --> Wire - %% Internal connections on deploy_node - WireServerDownload -->|"Seeds"| SeedContainer - SeedContainer -->|"docker image loads"| HelmCharts - - %% Color coding based on legend - softer colors for better readability - classDef yellow fill:#fff9c4,stroke:#666,stroke-width:1px,color:#4a4a4a - classDef blue fill:#e3f2fd,stroke:#666,stroke-width:1px,color:#1565c0 - classDef green fill:#e8f5e8,stroke:#666,stroke-width:1px,color:#2e7d32 - classDef red fill:#ffebee,stroke:#666,stroke-width:1px,color:#c62828 - classDef purple fill:#f3e5f5,stroke:#666,stroke-width:1px,color:#7b1fa2 - classDef rose fill:#fce4ec,stroke:#666,stroke-width:1px,color:#c2185b - classDef orange fill:#fff3e0,stroke:#666,stroke-width:1px,color:#ef6c00 - classDef gray fill:#f5f5f5,stroke:#666,stroke-width:1px,color:#616161 + classDef client fill:#e3f2fd,stroke:#1976d2,stroke-width:2px + classDef admin fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px + classDef network fill:#fff9c4,stroke:#f57f17,stroke-width:2px + classDef download fill:#e0f2f1,stroke:#00897b,stroke-width:2px + classDef k8s fill:#ffe0b2,stroke:#e65100,stroke-width:2px + classDef seeds fill:#ffccbc,stroke:#bf360c,stroke-width:2px + classDef wire fill:#c8e6c9,stroke:#2e7d32,stroke-width:2px - %% Apply colors according to legend and function - class DeployNode yellow - class WireServerDownload,NAT blue - class HelmCharts,SeedContainer green - class DockerK8s red - class NIC purple - class WebClients rose - class AnsibleNode orange - class GitCommands gray + class Client client + class Admin admin + class IPTables network + class Download download + class K8s k8s + class Seeds seeds + class Wire wire ``` This guide provides detailed instructions for deploying Wire-in-a-Box (WIAB) using Ansible on an Ubuntu 24.04 system. The deployment process is structured into multiple blocks within the Ansible playbook, offering flexibility in execution. 
It is designed to configure a remote node, such as example.com (referred to as deploy_node), to install Wire with a custom domain, example.com (referred to as target_domain). These variables must be verified in the file [ansible/inventory/demo/host.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/host.yml) before running the pipeline. @@ -229,13 +202,18 @@ The playbook then configures access to the Kubernetes node: - It will seed the docker images shipped for the wire related helm charts in the minikube k8s node - Can be skipped using `--skip-tags seed_containers` -### 12. Wire helm charts values preparation +### 12. Wire Helm Chart Values Preparation - Imports [wire_values.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-demo/wire_values.yml) to prepare the Helm chart values -- Runs automatically when using `--tags wire_values` -- The playbook backs up existing values files before replacing them. +- Runs in two scenarios: + - When running the **full playbook** (no tags specified) + - When **both** `wire_values` **and** `helm_install` tags are explicitly passed: `--tags wire_values,helm_install` +- Will be **skipped** if only `--tags wire_values` or only `--tags helm_install` is passed +- The playbook backs up existing values files before replacing them - Note: an admin can choose to skip this step if they already have their own values files (from previous similar deployments) and wish to avoid overwriting values. Provide your values in the expected `values/` paths and run the next playbook with appropriate tags. +**Note:** An admin can skip this step by: +- Running only `--tags helm_install` (if values already exist from previous deployments) +- Providing pre-created values files in the expected `values/` paths and using `--skip-tags wire_values` ### 13. Wire Secrets Creation 
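Review bot: the statement that step 12 runs only when **both** `wire_values` **and** `helm_install` are passed describes AND semantics, which is not Ansible's default tag behaviour (a task carrying several tags runs when any one of them is selected), so it must be implemented with a `when` condition on the run tags; say so in the text, otherwise a reader who inspects `wire_values.yml` will expect a plain `tags:` list and be surprised that `--tags wire_values` alone is a no-op. The added note also offers `--skip-tags wire_values` as a way to skip the step, which only matters for a full untagged run; make clear that in any tagged run the step is already skipped unless both tags are given.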
@@ -355,7 +333,7 @@ The following tags are available for controlling playbook execution: | `download` | Wire artifact download | None | | `asset_host` | Asset host configuration | SSH Proxy and Inventory Setup | | `seed_containers` | Container seeding | SSH Proxy and Inventory Setup| -| `wire_values` | Setup Wire Helm values | None | +| `wire_values` | Setup Wire Helm values | Requires `helm_install` tag | | `wire_secrets` | Create Wire secrets | None | | `helm_install` | Helm chart installation | None | | `cert_manager_networking` | Enable Cert Manager hairpin Networking | None | From 2065c5f1961784f9327c72a94ebe74764eee0633 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Thu, 4 Dec 2025 11:06:52 +0100 Subject: [PATCH 7/7] fix: update the wire-server submodule --- wire-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wire-server b/wire-server index 25e1fe9..d6edef7 160000 --- a/wire-server +++ b/wire-server @@ -1 +1 @@ -Subproject commit 25e1fe9106e26640569988291e501bebfa56ca98 +Subproject commit d6edef799079ca8887229094b229cf10dbb658a2
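Review bot: in patch 2's cleanup hunk (@@ -360,20 +501,70 @@ in demo-wiab.md), the `remove_packages` row of the tags table lists "Docker, kubectl, yq, ncat, minikube binary", while the `install_pkgs` note in the same file (visible as context in patch 3) says the playbook installs `docker`/`containerd`, `kubectl`, `minikube`, `yq`, `jq`, `ncat`; state whether `jq` and `containerd` are removed too, so the table matches what the playbook actually does on a shared host. Two smaller points: the "Quick cleanup after testing" command is identical to the "Explicit destruction required" command a few lines above, so one of them can go; and "**Package cleanup:**" follows the preceding closing fence with no blank line, which some Markdown renderers fold into the code block.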
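Review bot: in patch 2's planning.md hunk (@@ -24,23 +24,24 @@), the UDP calling range is widened from 49152-65535 to 32768-65535 with no rationale in the commit message; this is an inbound allow rule on a public-facing host, so confirm the lower bound against the actual Coturn/SFTD configuration and the linked port-ranges note, and say in the Purpose column which component needs the additional 32768-49151 range. The rewrite also drops the Direction and IP Range columns and both egress rows; the Network bullet above still relies on unrestricted outbound access, so either keep an egress row or state explicitly that every row is ingress and outbound is expected to be open.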
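Review bot: patch 3's hunk (@@ -113,19 +113,6 @@ in demo-wiab.md) removes the network table without leaving a pointer to its remaining copy; replace the deleted block with a one-line reference to the Network Access Requirements table in planning.md so a reader of the install guide still finds the port list. Removing this copy rather than the other is the right call: its separator row ends in a stray `||`, which the planning.md version does not have.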
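Review bot: in patch 4's secrets hunk (@@ -240,6 +241,8 @@ in demo-wiab.md), the two added bullets contradict each other: "won't regenerate secrets if they already exist" and "backs them up before replacing them" cannot both describe the same run. State which applies (skip when present, or back up then overwrite), and because the file named is `values/wire-server/secrets.yaml`, say where the backup copy is written and with what file permissions; a plaintext copy of the secrets left beside the live file is something an operator needs to know about and clean up. The same question applies to the values backup added in the preceding hunk (@@ -233,6 +233,7 @@). The context line below the change also carries the typo "secerts".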
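Review bot: in patch 4's tag-table hunk (@@ -355,6 +358,7 @@ in demo-wiab.md), the new `cert_manager_networking` row records "None" under Dependencies, but the earlier text says the hairpin networking is only needed when cert-manager with Let's Encrypt is in use, which makes it dependent on the cert-manager chart deployed by `helm_install`; fill the column in (or add "only with Let's Encrypt") so the row is as informative as the `asset_host` and `seed_containers` rows, which do record their prerequisites.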
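Review bot: in patch 5 (mkdocs.yml), `repo_url` is switched to `https://github.com/wireapp/wire-server` while `edit_uri: edit/main/src/` is left unchanged; mkdocs joins the two, so every "edit this page" link will now point at `wire-server/edit/main/src/...`, which is not where this repository's `docs_dir: src` lives. Either change `edit_uri` to a path that exists in wire-server or drop it. While here, `site_url: "https://docs.docs.com"` looks like a placeholder that was never replaced.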
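Review bot: in patch 6's diagram hunk (@@ -28,67 +28,40 @@ in demo-wiab.md), the asset host disappears from the picture (the old `WireServerDownload` node showed "start assets.service"), yet the `asset_host` tag and the `clean_assethost` cleanup tag still exist elsewhere in this document; add it back as a node, or the reader cannot see what those tags act on. The new `Download` node ("Artifacts / Helm Charts / Docker Images") and `Seeds` node ("Container Images + Helm Charts") also repeat each other; one should describe the download to the node and the other the seeding into Minikube, as the `Download --> Seeds` edge already implies.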
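Review bot: in patch 6's tag-table hunk (@@ -355,7 +333,7 @@ in demo-wiab.md), `wire_values` now reads "Requires `helm_install` tag", which means there is no way to regenerate values without also running the Helm install; if that is intended, say so in the step 12 text as well, and check the Usage Examples section that follows the table for any `--tags wire_values` invocation, which after this change silently does nothing.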
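Review bot: patch 7 bumps the `wire-server` submodule for the second time in this series (patch 1 moved it from e77e1f9 to 25e1fe9, this one from 25e1fe9 to d6edef7) with a message that gives no reason; squash the two bumps, or state in the message which upstream change the updated documentation depends on, so a reviewer can verify the pinned commit.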